Hi,

smtpd on my mailserver crashed yesterday. I'm building/running my own
snapshots; this one includes the latest commit to smtpd[1].
Backtrace from gdb, sorry no symbols but it looks like a use after free:

Program terminated with signal SIGSEGV, Segmentation fault.
#0 _rthread_mutex_timedlock (mutexp=0xdfdfdfdfdfdfdfef, trywait=0, abs=0x0, timed=0) at /home/src2/lib/libc/thread/rthread_mutex.c:153
153 /home/src2/lib/libc/thread/rthread_mutex.c: No such file or directory.
(gdb) bt
#0 _rthread_mutex_timedlock (mutexp=0xdfdfdfdfdfdfdfef, trywait=0, abs=0x0, timed=0) at /home/src2/lib/libc/thread/rthread_mutex.c:153
#1 0x000001deb50fd1cb in tls_server_conn (ctx=0x1de8d4cd000) at /home/src2/lib/libtls/tls_server.c:55
#2 tls_accept_common (ctx=0x1de8d4cd000) at /home/src2/lib/libtls/tls_server.c:355
#3 0x000001deb50fd068 in tls_accept_fds (ctx=0x1de8d4cd000, cctx=0x7f7fffff4fa0, fd_read=16, fd_write=16) at /home/src2/lib/libtls/tls_server.c:389
#4 tls_accept_socket (ctx=0x1de8d4cd000, cctx=0x7f7fffff4fa0, s=16) at /home/src2/lib/libtls/tls_server.c:381
#5 0x000001dc81383302 in ?? ()
#6 0x000001df616ada5f in event_process_active (base=0x1dec51c3000) at /home/src2/lib/libevent/event.c:333
#7 event_base_loop (base=0x1dec51c3000, flags=<optimized out>) at /home/src2/lib/libevent/event.c:483
#8 0x000001dc813a2adb in ?? ()
#9 0x000001dc81372fa1 in ?? ()
#10 0x0000000000000000 in ?? ()
(gdb) frame 1
#1 0x000001deb50fd1cb in tls_server_conn (ctx=0x1de8d4cd000) at /home/src2/lib/libtls/tls_server.c:55
55 /home/src2/lib/libtls/tls_server.c: No such file or directory.
(gdb) p ctx
$1 = (struct tls *) 0x1de8d4cd000
(gdb) p *ctx
$2 = {config = 0xdfdfdfdfdfdfdfdf, keypair = 0x1de8d4fce80, error = {msg = 0x0, num = -1, tls = 0}, flags = 2, state = 0, servername = 0x0, socket = -1, ssl_conn = 0x0,
ssl_ctx = 0xdfdfdfdfdfdfdfdf, sni_ctx = 0x0, ssl_peer_cert = 0x0, ssl_peer_chain = 0x0, conninfo = 0x0, ocsp = 0x0, read_cb = 0x0, write_cb = 0x0, cb_arg = 0xdfdfdfdfdfdfdfdf}

The only thing that sticks out in maillog during the time
/var/crash/smtpd/*.core was created is this one, which is also the last
log entry:

mail$ gzcat /var/log/maillog.0.gz | tail -2
Mar 29 18:48:44 mail smtpd[63792]: smtpd: process dispatcher socket closed
2021-03-29T19:00:01.228Z mail newsyslog[35681]: logfile turned over
mail$ ls -l /var/crash/smtpd/
total 8256
-rw------- 1 root wheel 4201000 Mar 29 18:48 67436.core

Let me know if there's anything else that I could supply.

[1] https://github.com/openbsd/src/commit/930b1de678e1c758155aca94ecbdafd8188d1647
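
For triaging a dump like the one above, an added example (not part of the original report and not OpenBSD code): it scans gdb output for pointer values that equal, or sit a small offset past, a word filled with 0xdf, the byte OpenBSD malloc(3) writes over freed memory. The sample strings are copied from the gdb session above; the function names and the 0x1000 offset bound are assumptions of this example.

```python
import re

FREE_JUNK = 0xDF  # byte OpenBSD malloc(3) writes over freed chunks
JUNK_PTR = int.from_bytes(bytes([FREE_JUNK]) * 8, "little")
MAX_FIELD_OFFSET = 0x1000  # assumption: a struct member offset stays below one page

# Sample input: values copied from the gdb session in the report above.
GDB_STRUCT = """$2 = {config = 0xdfdfdfdfdfdfdfdf, keypair = 0x1de8d4fce80, error = {msg = 0x0, num = -1, tls = 0}, flags = 2, state = 0, servername = 0x0, socket = -1, ssl_conn = 0x0,
ssl_ctx = 0xdfdfdfdfdfdfdfdf, sni_ctx = 0x0, ssl_peer_cert = 0x0, ssl_peer_chain = 0x0, conninfo = 0x0, ocsp = 0x0, read_cb = 0x0, write_cb = 0x0, cb_arg = 0xdfdfdfdfdfdfdfdf}"""
GDB_FRAME = "#0 _rthread_mutex_timedlock (mutexp=0xdfdfdfdfdfdfdfef, trywait=0, abs=0x0, timed=0)"


def classify(value):
    """Return 'junk', ('junk+offset', n) or None for one pointer-sized value."""
    if value == JUNK_PTR:
        return "junk"  # the pointer itself was read out of freed memory
    delta = value - JUNK_PTR
    if 0 < delta < MAX_FIELD_OFFSET:
        # address of a member computed from a junk base pointer (&base->member)
        return ("junk+offset", delta)
    return None


def scan(text):
    """Map each `name = 0x...` pair in gdb output to its classification."""
    hits = {}
    for name, hexval in re.findall(r"(\w+)\s*=\s*(0x[0-9a-fA-F]+)", text):
        verdict = classify(int(hexval, 16))
        if verdict:
            hits[name] = verdict
    return hits


if __name__ == "__main__":
    print(scan(GDB_STRUCT))  # fields of *ctx holding the free-junk pattern
    print(scan(GDB_FRAME))   # arguments derived from a junk base pointer
```

On this input the faulting `mutexp` is reported as the junk word plus 0x10, which matches a member address taken through the junk-filled `config` pointer shown in `*ctx`.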